May 21, 2020

Other options are available (stop, start, and disable) for configuring the SSH service.

Determine IP Address

To connect to the remote device over SSH, you’ll need to know the IP address of the machine. You have two easy ways to find this: run a terminal command, or check the router. To display the IP address of the remote system, log on and run.

2) Add the public key to the ~/.ssh/authorized_keys file on the remote host. A simple way to do this is to use the ssh-copy-id command.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

In the above command, the -i option indicates the identity file, ~/.ssh/id_rsa.pub is the identity file, and the remaining text is the remote user and remote server IP.

NOTE: Never share your private key.
This article provides steps for connecting to a cloud server from a computer running Linux® or MacOS® X by using Secure Shell (SSH). It also discusses generating an SSH key and adding a public key to the server.
SSH is a protocol through which you can access your cloud server and run shell commands. You can use SSH keys to identify trusted computers without the need for passwords and to interact with your servers.
SSH is encrypted with Secure Sockets Layer (SSL), which makes it difficult for these communications to be intercepted and read.
Note: Many of the commands in this article must be run on your local computer. The default commands listed are for the Linux command line or MacOS X Terminal. To make SSH connections from Windows®, you can use a client similar to the free program, PuTTY. To generate keys, you can use a related program, PuTTYGen.
Using the Internet Protocol (IP) address and password for your cloud server, log in by running the following ssh command with username@ipaddress as the argument:
The system prompts you to enter the password for the account to which you’re connecting.
If you rebuilt your cloud server, you might get the following message:
One of the security features of SSH is that when you log in to a cloud server, the remote host has its own key that identifies it. When you try to connect, your SSH client checks the server’s key against any keys that it has saved from previous connections to that IP address. After you rebuild a cloud server, that remote host key changes, so your computer warns you of possibly suspicious activity.
To ensure the security of your server, you can use the web console in the Cloud Control Panel to verify your server’s new key. If you’re confident that you aren’t being spoofed, you can skip that step and delete the record of the old SSH host key as follows:
On your local computer, edit the SSH known_hosts file and remove any lines that start with your cloud server’s IP address.
Note: Use the editor of your choice, such as nano on Debian or the Ubuntu operating system or vi on RPM or CENTOS servers. For simplicity, this article just uses nano. If you prefer to use vi, substitute vi for nano in the edit commands. For more on using nano, see https://support.rackspace.com/how-to/modify-your-hosts-file/.
If you are not using Linux or MacOS X on your local computer, the location of the known_hosts file might differ. Refer to your OS for information about the file location. PuTTY on Windows gives you the option to replace the saved host key.
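The manual edit described above, as an added example that is not part of the original article: a shell function that removes only exact matches for one address from a known_hosts file, including the comma-separated and [host]:port forms. The function names and sample entries are constructed; hashed entries are not matched here, and OpenSSH's own ssh-keygen -R covers those.

```shell
#!/bin/sh
# Added example (not from the original article). Addresses and keys are constructed.

# sample_known_hosts FILE: write constructed entries, including a neighbour
# address (192.0.2.10) that a plain prefix match would delete by mistake.
sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample entries
192.0.2.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYconstructed
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERconstructed
[192.0.2.1]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed
web1.example.com,192.0.2.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhconstructed
EOF
}

# prune_known_host FILE HOST: remove entries for HOST, keep FILE.old as a
# backup, and print the number of lines removed. HOST must equal one name in
# the comma-separated host field, so 192.0.2.1 never matches 192.0.2.10.
prune_known_host() {
    file=$1 host=$2
    tmp=$(mktemp) || return 1
    removed=$(awk -v h="$host" -v out="$tmp" '
        /^[ \t]*(#|$)/ { print > out; next }      # keep comments and blanks
        {
            f = 1
            if ($1 ~ /^@/) f = 2                  # @revoked or @cert-authority marker
            n = split($f, names, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (name == h) hit = 1
                # [host]:port is the form written for non-default ports
                if (substr(name, 1, length(h) + 3) == "[" h "]:") hit = 1
            }
            if (hit) { count++; next }
            print > out
        }
        END { print count + 0 }' "$file") || { rm -f "$tmp"; return 1; }
    cp "$file" "$file.old" && cat "$tmp" > "$file"   # rewrite in place, mode unchanged
    rm -f "$tmp"
    echo "$removed"
}
```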
You can secure SSH access to your cloud server against brute force password attacks by using a public-private key pair. A public key is placed on the server and a matching private key is placed on your local computer. If you configure SSH on your server to accept only connections using keys, then no one can log in by using just a password. Connecting clients are required to use a private key that has a public key registered on the server. For more on security, review Linux server security best practices.
Use the following steps to generate an SSH key pair:
Run the following command using your email address as a label. Substitute your email address for your_email@example.com in the command.
A message indicates that your public-private RSA key pair is being generated.
At the prompt, press Enter to use the default location or enter a file in which to save the key and press Enter.
If you want the additional security of a password for the key pair, enter a passphrase and press Enter. If you don’t want to use a password with the key pair, press Enter to continue without setting one.
Your key pair is generated, and the output looks similar to the following example:
Optionally, add your new key to the local ssh-agent file to enable SSH to find your key without the need to specify its location every time that you connect:
You can use an SSH configuration shortcut instead of the ssh-agent file by following the instructions in the Shortcut configuration section later in this article.
To make it easy to add your key to new cloud servers that you create, upload the public key to your cloud account by following these steps:
Paste the contents of the id_rsa.pub file that you created into the Public Key field. You can get the file contents by either opening the file in a text editor or by running the following command:
If you want to add the key manually, instead of by using the Control Panel, review Linux server security best practices and use the following command:
When you create a new cloud server, you can add a stored key to the new server.
On the Create Server page, expand the Advanced Options section.
From the SSH Key menu, select your key from the list.
If you don’t see a stored key in the list, you can perform one of the following actions:
You can’t use the Cloud Control Panel to add a public key to an existing server. Follow these steps to add the key manually:
On your cloud server, create a directory named .ssh in the home folder of the user that you connect to by using SSH.
Create or edit the authorized_keys file and add your public key to the list of authorized keys by using the following command:
A key is all on one line, so ensure that the key isn’t broken by line breaks. You can have multiple keys in the authorized_keys file, with one key per line.
Set the correct permissions on the key by using the following commands:
If you have any issues and need to fix permissions issues, run the following command:
After you have added the public key to the authorized_keys file, you can make an SSH connection by using your key pair instead of the account password.
Use the following instructions to set up a connection shortcut by creating a ~/.ssh/config file on your local computer and adding your server and key details to it.
Using a text editor, add the following text to the ~/.ssh/config file, changing the values to match your server information:
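One way to carry out the manual steps above in a single pass (an added example, not the article's own commands): it rejects a private key or a key broken across lines, skips a key that is already present, and applies 700 and 600 permissions. The install_pubkey name and the sample keys used with it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article).

# install_pubkey HOME_DIR PUBKEY_FILE
#   Appends the key to HOME_DIR/.ssh/authorized_keys.
#   Returns 0 on success or when the key is already listed, 1 on rejected input.
install_pubkey() {
    home=$1 pub=$2
    # The private half never belongs on the server; refuse it outright.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 1
    fi
    # A key is all on one line: expect exactly one non-empty line.
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "refusing: expected exactly one key line in $pub" >&2
        return 1
    fi
    key=$(grep . "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" || return 1
    # Compare key type and body only, so a changed comment is not a new key.
    body=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if ! awk -v b="$body" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    # sshd ignores the file when the directory or file is writable by others.
    chmod 700 "$home/.ssh" && chmod 600 "$auth"
}
```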
Each of the following entries describes a feature of the server:
After you set up the config file, connect to the server by using the following command with your shortcut name:
If you have trouble making a new connection after you restart the server, use the following steps to help you resolve the issue:
The best way to troubleshoot SSH or SFTP login issues is to attempt to log in through SSH while logged into the Emergency Console and to watch the log, which typically includes the reason for a failure. If no reason is given, it could be a firewall issue. For RPM servers, run the following command to watch the log:
For Debian servers, run the following command to watch the log:
If you get a connection timeout error, check the IP address that you used to ensure that it’s correct. You might also check the server’s iptables to ensure that it isn’t blocking the port used by SSH.
If you get a connection refused error, you might be trying to use SSH with the wrong port. If you changed your server to listen to a port other than 22, use the -p option with SSH to specify the port.
sshd configuration to allow password connections by setting PasswordAuthentication to yes. Restart the server and try again. If you connect after these changes, then the issue is with the key and you must verify that the key is in the right place on the server.
If all else fails, review your changes and restart the SSH daemon on the server by running the following command:
If you get a message that the SSH service is unknown, run the command with sshd as the service name instead.
©2020 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
PowerShell remoting normally uses WinRM for connection negotiation and data transport. SSH is now available for Linux and Windows platforms and allows true multiplatform PowerShell remoting.
WinRM provides a robust hosting model for PowerShell remote sessions. SSH-based remoting doesn't currently support remote endpoint configuration and Just Enough Administration (JEA).
SSH remoting lets you do basic PowerShell session remoting between Windows and Linux computers. SSH remoting creates a PowerShell host process on the target computer as an SSH subsystem. Eventually we'll implement a general hosting model, similar to WinRM, to support endpoint configuration and JEA.
The New-PSSession, Enter-PSSession, and Invoke-Command cmdlets now have a new parameter set to support this new remoting connection.
To create a remote session, you specify the target computer with the HostName parameter and provide the user name with UserName. When running the cmdlets interactively, you're prompted for a password. You can also use SSH key authentication with a private key file by using the KeyFilePath parameter.
PowerShell 6 or higher, and SSH must be installed on all computers. Install both the SSH client (ssh.exe) and server (sshd.exe) so that you can remote to and from the computers. OpenSSH for Windows is now available in Windows 10 build 1809 and Windows Server 2019. For more information, see Manage Windows with OpenSSH. For Linux, install SSH, including sshd server, that's appropriate for your platform. You also need to install PowerShell from GitHub to get the SSH remoting feature. The SSH server must be configured to create an SSH subsystem to host a PowerShell process on the remote computer. And, you must enable password or key-based authentication.
Install the latest version of PowerShell. See Installing PowerShell Core on Windows.
You can confirm that PowerShell has SSH remoting support by listing the New-PSSession parameter sets. You'll notice there are parameter set names that begin with SSH. Those parameter sets include SSH parameters.
Install the latest Win32 OpenSSH. For installation instructions, see Getting started with OpenSSH.
Note
If you want to set PowerShell as the default shell for OpenSSH, see Configuring Windows for OpenSSH.
Edit the sshd_config file located at $env:ProgramData\ssh.
Make sure password authentication is enabled:
Create the SSH subsystem that hosts a PowerShell process on the remote computer:
Note
The default location of the PowerShell executable is c:/progra~1/powershell/7/pwsh.exe. The location can vary depending on how you installed PowerShell.
You must use the 8.3 short name for any file paths that contain spaces. There's a bug in OpenSSH for Windows that prevents spaces from working in subsystem executable paths. For more information, see this GitHub issue.
The 8.3 short name for the Program Files folder in Windows is usually Progra~1. However, you can use the following command to make sure:
Optionally, enable key authentication:
For more information, see Managing OpenSSH Keys.
Restart the sshd service.
Add the path where OpenSSH is installed to your Path environment variable. For example, C:\Program Files\OpenSSH. This entry allows for the ssh.exe to be found.
Install the latest version of PowerShell. See Installing PowerShell Core on Linux.
Install Ubuntu OpenSSH Server.
Edit the sshd_config file at location /etc/ssh.
Make sure password authentication is enabled:
Add a PowerShell subsystem entry:
Note
The default location of the PowerShell executable is /usr/bin/pwsh. The location can vary depending on how you installed PowerShell.
Optionally, enable key authentication:
Restart the sshd service.
Install the latest version of PowerShell. See Installing PowerShell Core on macOS.
Make sure SSH Remoting is enabled by following these steps:
Open System Preferences.
Click Sharing.
Check Remote Login to set Remote Login: On.
Edit the sshd_config file at location /private/etc/ssh/sshd_config.
Use a text editor such as nano:
Make sure password authentication is enabled:
Add a PowerShell subsystem entry:
Note
The default location of the PowerShell executable is /usr/local/bin/pwsh. The location can vary depending on how you installed PowerShell.
Optionally, enable key authentication:
Restart the sshd service.
PowerShell remoting over SSH relies on the authentication exchange between the SSH client and SSH service and doesn't implement any authentication schemes itself. The result is that any configured authentication schemes including multi-factor authentication are handled by SSH and independent of PowerShell. For example, you can configure the SSH service to require public key authentication and a one-time password for added security. Configuration of multi-factor authentication is outside the scope of this documentation. Refer to documentation for SSH on how to correctly configure multi-factor authentication and validate it works outside of PowerShell before attempting to use it with PowerShell remoting.
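Because the SSH service decides how users authenticate, it helps to read back what sshd_config ends up saying after the setup steps above and after the earlier troubleshooting step that sets PasswordAuthentication to yes. The following added example (not code from either article) reports the settings this page edits; the function names and sample file are constructed, and the arguments after /usr/bin/pwsh in the sample are an assumption, since the page does not show the subsystem line.

```shell
#!/bin/sh
# Added example (not from the original articles). Sample content is constructed.

# sample_sshd_config FILE: a config left in the troubleshooting state.
sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
Subsystem sftp internal-sftp
Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
Match User backup
    PubkeyAuthentication no
EOF
}

# sshd_global FILE KEYWORD: print the first global value of KEYWORD.
# sshd uses the first value it reads for a keyword, and lines after the first
# Match block apply only to matching connections, so scanning stops there.
# Assumes the usual whitespace-separated "Keyword value" form.
sshd_global() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: one "setting=value" line per setting this page edits.
audit_sshd() {
    pw=$(sshd_global "$1" PasswordAuthentication)
    pk=$(sshd_global "$1" PubkeyAuthentication)
    ps=$(awk 'tolower($1) == "subsystem" && $2 == "powershell" { print $3; exit }' "$1")
    echo "PasswordAuthentication=${pw:-yes}"   # OpenSSH default is yes
    echo "PubkeyAuthentication=${pk:-yes}"     # OpenSSH default is yes
    echo "PowerShellSubsystem=${ps:-missing}"
}

# keys_only FILE: succeed only when passwords are off and keys are not disabled.
# Checks only the two keywords named on this page.
keys_only() {
    [ "$(sshd_global "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_global "$1" PubkeyAuthentication)" != no ]
}
```

In the sample, the second PasswordAuthentication line has no effect because the first value wins, so keys_only fails until the earlier line is changed.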
Note
Users retain the same privileges in remote sessions. Meaning, Administrators have access to anelevated shell, and normal users will not.
The easiest way to test remoting is to try it on a single computer. In this example, we create a remote session back to the same Linux computer. We're using PowerShell cmdlets interactively so we see prompts from SSH asking to verify the host computer and prompting for a password. You can do the same thing on a Windows computer to ensure remoting is working. Then, remote between computers by changing the host name.
The sudo command doesn't work in a remote session to a Linux computer.
PSRemoting over SSH does not support Profiles and does not have access to $PROFILE. Once in a session, you can load a profile by dot sourcing the profile with the full filepath. This is not related to SSH profiles. You can configure the SSH server to use PowerShell as the default shell and to load a profile through SSH. See the SSH documentation for more information.